[PATCH 12/36] cmd/libsnap-confine-private: Don't fail open on apparmor confinement
aa_is_enabled() can be made to fail by setting low open file limits or
similar - in this case, snap-confine would continue executing as though it
were unconfined. However, this can be detected by checking errno more
closely - so only fail open when we know AppArmor either is not supported
or has been explicitly disabled at boot and otherwise fail closed.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0012-cmd-libsnap-confine-private-Don-t-fail-open-on-appar.patch
projects / snapd.git / commit